Andy Malone MVP,MCT, Technology Evangelist Quality Training (Scotland) Ltd & Microsoft (UK)...


Page 1: Andy Malone MVP,MCT, Technology Evangelist Quality Training (Scotland) Ltd & Microsoft (UK) Andrew.malone@quality-training.co.uk .

Andy Malone MVP, MCT, Technology Evangelist
Quality Training (Scotland) Ltd & Microsoft (UK)
Andrew.malone@quality-training.co.uk
http://blogs.quality-training.co.uk/blog

What’s New & Exciting in Windows Server 2008! – Part 2

Page 2:

Part 2 will cover!

Terminal Services! What is it and why you need it!

Deploying Terminal Services

Understanding TS Licensing & TS Session Broker!

Deploying TS Remote Programs!

TS Web Access

Security Update: ADRMS & Other Stuff!

Conclusions!

Page 3:

Terminal Services Update!

Page 4:

Looks Good but What can it do for me?

Benefits & Uses of Terminal Services

Who should use Terminal Services?

Terminal Services Installation, Configuration & Management

New Features for Security, Manageability & Scalability

Mobile Worker In Airport

Branch Office

Home Office

Central Location

Page 5:

TS System Configuration

Terminal Services Configuration MMC snap-in

Local Group Policy or Group Policy from AD

Local registry

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server

HKLM\SYSTEM\CurrentControlSet\Services\TermDD or \TermService or \tssecsrv (don’t touch!)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

...

Page 6:

Installing Terminal Services!

Page 7:

Enabling Terminal Services on Server Core!

Command Line

Remote Admin mode

Cscript scregedit.wsf /ar 0

Allow pre-Vista/Windows Server 2008 clients

Cscript scregedit.wsf /cs 0

Reboot for the computer name change to take effect

shutdown /t 0 /r

Page 8:

TS – Server Core Unattend File!

Unattend

Remote Admin mode: in the <settings pass="specialize"> section add:

<component name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <fDenyTSConnections>false</fDenyTSConnections>
</component>

To allow pre-Vista/Windows Server 2008 clients, in the <settings pass="specialize"> section add:

<component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86">
  <UserAuthentication>0</UserAuthentication>
</component>
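The two unattend settings above decide whether a freshly built Server Core machine accepts Remote Desktop connections and whether Network Level Authentication is required (UserAuthentication 0 means it is not). The Python below is an added example, not part of the original slides, that reviews an answer file for both before deployment; the sample file, the finding codes and the function names are constructed for illustration, and a complete answer file in the urn:schemas-microsoft-com:unattend namespace is assumed.

```python
import xml.etree.ElementTree as ET

LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager"
RDP_EXT = "Microsoft-Windows-TerminalServices-RDP-WinStationExtensions"

# Constructed sample: the two slide fragments inside a minimal answer-file skeleton.
SAMPLE_UNATTEND = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="{LSM}" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <fDenyTSConnections>false</fDenyTSConnections>
    </component>
    <component name="{RDP_EXT}" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS" processorArchitecture="x86">
      <UserAuthentication>0</UserAuthentication>
    </component>
  </settings>
</unattend>"""


def _local(tag):
    """Drop the XML namespace so namespaced and bare files parse the same way."""
    return tag.rsplit("}", 1)[-1]


def read_ts_settings(xml_text):
    """Return {(pass, component, setting): value} for the two TS components."""
    found = {}
    for settings in ET.fromstring(xml_text).iter():
        if _local(settings.tag) != "settings":
            continue
        for comp in settings:
            name = comp.get("name")
            if _local(comp.tag) == "component" and name in (LSM, RDP_EXT):
                for child in comp:
                    key = (settings.get("pass", ""), name, _local(child.tag))
                    found[key] = (child.text or "").strip()
    return found


def audit_unattend(xml_text):
    """Return a list of (code, detail) findings about Remote Desktop exposure."""
    rdp_enabled = False   # treated as denied unless the file says otherwise
    nla_required = None   # None means the file does not set UserAuthentication
    for (_pass, comp, setting), value in read_ts_settings(xml_text).items():
        if comp == LSM and setting == "fDenyTSConnections":
            rdp_enabled = value.lower() in ("false", "0")
        elif comp == RDP_EXT and setting == "UserAuthentication":
            nla_required = value == "1"

    findings = []
    if rdp_enabled:
        findings.append(("RDP_ENABLED",
                         "fDenyTSConnections=false: Remote Desktop is on after setup"))
        if nla_required is False:
            findings.append(("NLA_NOT_REQUIRED",
                             "UserAuthentication=0: clients without NLA may connect"))
        elif nla_required is None:
            findings.append(("NLA_UNSPECIFIED",
                             "UserAuthentication not set: confirm the effective value"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_unattend(SAMPLE_UNATTEND):
        print(f"{code:18} {detail}")
```
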

Page 9:

Terminal Services Licensing!

Page 10:

Obtaining Client Access Licenses

[Diagram: TS Per Device CALs. Labels: Terminal Server, License Server. Steps 1 to 4: Connects, Requests License, Delivers License.]

[Diagram: TS Per User CALs (AD). Labels: Terminal Server, License Server, Active Directory Domain Services. Steps 1 to 4: Connects, Requests License, Stores License.]

Page 11:

TS Licensing

[Diagram labels: Clearing House, License Server, Terminal Services Client, Terminal Servers, Certificate.]

Page 12:

Understanding what the Terminal Server Session Broker does!

Page 13:

Load Balancing: The options!

DNS Round Robin

Microsoft Network Load Balancing (NLB)

TS Session Broker

Page 14:

Standalone TS Vs TS Farm

Standalone Instance

Farm

Page 15:

Load Balancing

TS A (10.0.0.2)

TS B (10.0.0.3)

TS C (10.0.0.4)

Session Broker

DNS

Page 16:

Load Balancing

10.0.0.2 MyFarm.com
10.0.0.3 MyFarm.com
10.0.0.4 MyFarm.com

TS A (10.0.0.2)

TS B (10.0.0.3)

TS C (10.0.0.4)

Session Broker

DNS

Page 17:

Load Balancing

10.0.0.2 MyFarm.com
10.0.0.3 MyFarm.com
10.0.0.4 MyFarm.com

TS A (10.0.0.2)

TS B (10.0.0.3)

TS C (10.0.0.4)

Session Broker

10.0.0.2 MyFarm.com
10.0.0.3 MyFarm.com
10.0.0.4 MyFarm.com

DNS

Page 18:

Load Balancing

10.0.0.2 MyFarm.com
10.0.0.3 MyFarm.com
10.0.0.4 MyFarm.com

DNS

TS A (10.0.0.2)

TS B (10.0.0.3)

TS C (10.0.0.4)

Session Broker

10.0.0.2 MyFarm.com
10.0.0.3 MyFarm.com
10.0.0.4 MyFarm.com

Page 19:

TS Load Balancing Limitations!

You cannot Load Balance Remote Programs... just Published Desktops.

Load balancing is based on sessions only. So, no advanced load evaluators. The full feature set of 2008 TS now looks like this:

TS Gateway

TS Remote Programs

TS Web Access

WSRM For Terminal Servers

TS Easy Print

TS Session Broker Load Balancing

Page 20:

Configuring TS Session Broker

Page 21:

Deploying Remote Applications!

Page 22:

Terminal Services RemoteApp

MSI packages provide setup and deployment integration

Active Directory Group Policy

Systems Management Server

Manual

Shortcuts published to

Desktop

Start menu

Add/remove programs

WinSrv 2008 Terminal Server

AD

Publish

Push GP-published applications

Publish manually

RDP 6 Client

Page 23:

Terminal Services Remote Programs Deployment Tips

Put common applications on same server

i.e. Microsoft Office Family (Use VLE)

Consider putting individual applications on separate servers when:

Application has compatibility issues

A single application and associated users may fill server capacity

Create load-balanced ‘farm’ for single applications that exceed 1 server

Use Microsoft SoftGrid to improve server usage and application compatibility

Page 24:

Terminal Services App Analyzer

Tool detecting incompatible app behavior

1. Shared resources – files/registry objects

2. Access/privilege issues

3. Future: Windows API calls with special cases for TS

Requires the download and the installation of Application Verifier

Page 25:
Page 26:

TS Remote Applications!

Page 27:

Terminal Server Web Access

What is TS Web Access?

What are the benefits?

What are the Server requirements?

What are the client requirements?

Mobile Worker In Airport

Branch Office

Home Office

TS Web Access

Page 28:

Terminal Server Web Access

Windows Server 2008 Terminal Servers

Active Directory

Session Directory

Longhorn RDP Client

Load Balancer

TS Web Access

HTTPs

RDP

AD Mode

Single Server Mode

Page 29:

Terminal Server Web Access

Page 30:

Terminal Server Web Access

Page 31:

Security Update!

Rights Management & More....

Page 32:

Firewalls and ACLs aren't Enough

Emphasis is placed on perimeter based security mechanisms, which block unauthorized access

Transit-based security (Email encryption, IPSec, etc.) only protects the content while it is moving from one place to another

ACLs also effective for limiting access

However, these mechanisms are powerless to stop data that has been accessed by authorized individuals from ‘leaking’ out of the organization via email, print, or copy/paste

Page 33:

Government and Industry Compliance

Many Governmental compliance rules (HIPAA, Sarbanes Oxley, FDA 21CFR11, etc.) require that measures are put into place to safeguard digital information

Expiration of content required for many other industry and governmental regulations

Page 34:

IDA Review: Microsoft Approach

A comprehensive set of IDA platform technologies and applications

Complemented by a broad international partner program

[Diagram labels: Microsoft Solution Focus Areas; Directory Services; Strong Authentication; Federated Identity; Information Protection; Identity Lifecycle Mgmt; User and Developer Experiences; Microsoft Office; Windows; Web Portals; CardSpace; IDA Management Capabilities; Extensibility; 20+ Connectors; WS-*; ILM Partners; Platform Components; AD Domain Services; AD Federation Services; AD Rights Management Services; AD Certificate Services; BizTalk; .NET; Visual Studio; ILM SDK.]

Page 35:

IDA Review: Platform Components

Part of the Windows Server 2008 license

Microsoft Active Directory Domain Services

Microsoft Active Directory Certificate Services

Microsoft Active Directory Federation Services

Premium Products

Active Directory Rights Management Service

Identity Lifecycle Manager 2007

[Diagram labels: Microsoft Solution Focus Areas; Directory Services; Strong Authentication; Federated Identity; Information Protection; Identity Lifecycle Mgmt; User and Developer Experiences; Microsoft Office; Windows; Web Portals; CardSpace; IDA Management Capabilities; Extensibility; 20+ Connectors; WS-*; ILM Partners; Platform Components; AD Domain Services; AD Federation Services; AD Rights Management Services; AD Certificate Services; BizTalk; .NET; Visual Studio; ILM SDK.]

Page 36:

RMS Gives Authors Control

Document Author can define who can do the following:

View document

Edit document

Print document

Copy/Paste

Page 37:

How RMS Works

1. On first use, authors receive client licensor certificate from RMS server

2. Author creates content and assigns rights

3. File is distributed to recipient(s)

4. Recipient opens file, and their RMS client contacts server for user validation and to obtain a license

5. Application opens the file and enforces the restrictions

Page 38:

What RMS cannot do…

It can’t stop a determined information thief

It can’t stop a person from taking digital pictures

It can’t stop a third-party screenshot utility from taking pictures of the content

It can’t use an existing PKI implementation

A deployed RMS server is NOT the root, Microsoft is the root authority.

For an internal solution to be effective, there needs to be access to the RMS server from wherever documents will be accessed

Page 39:

RMS Client Prerequisites

Windows Rights Management Client

Included in Windows Vista

Windows RMS SP2 Client x86 (Supports XP, 2003 Server, Windows 2000)

Windows RMS SP2 Client x64

Windows RMS SP2 Client IA64

Rights Management Add-on for Internet Explorer

Office client support

Office 2003

Office 2007

Page 40:

Setting User Permissions!

Page 41:

Rights Management!

Page 42:

Sounds ok, but why do I need this stuff anyway?

Ok Real World Security Examples!

Page 43:

Time for Some Inside Information!

Page 44:

Google Hacking

Various usernames and passwords (both encrypted and in plain text)

Internal documents

Internal site statistics

Intranet access

Database access

Mail server access

And much, much more

Page 45:

Google Hacking Examples!

Site:com filetype:xls "Accounts"

site:gov.uk filetype:xls users

site:gov.uk filetype:doc staff

site:gov.uk filetype:ini WS_FTP PWD

site:gyhs.co.uk "index of /" password.txt

site:co.uk "index of /" +passwd

site:dk +hotel filetype:xls

site:com +password filetype:xls

Inurl:admin users passwords

inurl:admin intitle:index.of

"Microsoft-IIS/5.0 Server at" intitle:index.of

Page 46:

What the Bad Guys Use!

Google Hacking!

Page 47:

What the Bad Guys Use!

Goolag!

Page 48:

Don’t Get Google Hacked!

Keep sensitive information off the internet.

Be careful how you write your scripts and access your databases.

Use robots.txt to let Google know what parts of your website it is ok to index. Specify which parts of the website are “off bounds”.

Ensure directory rights on your web server are in order.

Monitor your site for common errors.

“Google hack” your own website.
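One way to act on the last tip without waiting for a crawler is to check your own document root for the file names and types that the queries on the "Google Hacking Examples!" slide look for, plus directories that would show up as an "index of" listing. The Python below is an added example, not from the original slides; the default-document list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: the default-document names your web server is configured with.
DEFAULT_DOCS = {"index.html", "index.htm", "default.htm", "default.asp", "default.aspx"}
# File names and types taken from the search queries listed on the slide.
RISKY_NAMES = {
    "ws_ftp.ini": "WS_FTP settings file (filetype:ini WS_FTP PWD)",
    "password.txt": "password file (\"index of /\" password.txt)",
    "passwd": "passwd file (\"index of /\" +passwd)",
}
RISKY_EXTENSIONS = {
    ".xls": "spreadsheet (filetype:xls)",
    ".doc": "document (filetype:doc)",
}


def audit_webroot(root):
    """Return sorted (url_path, reason) findings for everything under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        url_dir = "/" if rel == "." else f"/{rel}/"
        # A directory without a default document is served as a listing
        # whenever directory browsing is switched on.
        if not {name.lower() for name in files} & DEFAULT_DOCS:
            findings.append((url_dir, "no default document: listed as 'index of' "
                                      "if directory browsing is enabled"))
        for name in files:
            low = name.lower()
            reason = RISKY_NAMES.get(low) or RISKY_EXTENSIONS.get(os.path.splitext(low)[1])
            if reason is None and "password" in low:
                reason = "file name contains 'password'"
            if reason:
                findings.append((url_dir + name, reason))
    return sorted(findings)


def build_sample_webroot(root):
    """Create a constructed document root with a few deliberately misplaced files."""
    layout = ["index.html", "admin/users.xls", "backup/password.txt",
              "docs/index.htm", "docs/staff.doc", "ftp/index.html", "ftp/WS_FTP.ini"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")


def run_sample_audit():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for path, reason in run_sample_audit():
        print(f"{path:24} {reason}")
```

The check works on the files themselves because robots.txt only asks crawlers to skip a path; it does not restrict access to it, so anything flagged here should be moved out of the document root or put behind access control.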

Page 49:

Create a Robots.txt

Page 50:

Time to Snoop!

Page 51:

What The Bad Guys Use!

BidiBlah!

Page 52:

Undetectable & Unbreakable Encryption!

Creates a virtual encrypted disk within a file and mounts it as a real disk.

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Encryption is automatic, real-time (on-the-fly) and transparent.

Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

Hidden volume (steganography) and hidden operating system.

No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Page 53:

What the bad guys use!

TrueCrypt! & HashTab

Page 54:

Steganography

The basic idea behind this solution is that one "borrows" the least significant bit of the red value in a BMP to store 1/8 of a character.

The bitmap gets slightly distorted (zero or 1/256 red color change), but it isn't noticeable in BMPs with 16, 24 or 32-bit colors. Even with a plain, white BMP created with Paint you can't see it.

A Character #0 in the input string is the EOL indicator. It is added as the input text is cast to a PChar.

Maximum message size would be:
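The scheme on this slide, worked through on a constructed 24-bit BMP built in memory, as an added example that is not from the original slides: it shows how an analyst recovers a message hidden this way and confirms that each red value changes by at most 1. The function names, the most-significant-bit-first order and the Latin-1 text encoding are assumptions, since the slide does not specify them.

```python
import struct


def make_bmp(width, height, rgb=(255, 255, 255)):
    """Build a constructed, uncompressed 24-bit BMP filled with one colour."""
    row = bytes([rgb[2], rgb[1], rgb[0]]) * width   # pixels are stored B, G, R
    row += b"\x00" * (-len(row) % 4)                # each row is padded to 4 bytes
    pixels = row * height
    offset = 14 + 40                                # file header + info header
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def red_offsets(bmp):
    """Yield the byte offset of every pixel's red value in a 24-bit BMP."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    data_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    if struct.unpack_from("<H", bmp, 28)[0] != 24:
        raise ValueError("this example handles 24-bit BMPs only")
    stride = (width * 3 + 3) & ~3                   # row length including padding
    for y in range(abs(height)):
        for x in range(width):
            yield data_offset + y * stride + x * 3 + 2


def capacity(bmp):
    """Characters that fit: one bit per pixel, less one character for #0."""
    return sum(1 for _ in red_offsets(bmp)) // 8 - 1


def embed(bmp, message):
    """Store message plus a terminating #0 in the red least significant bits."""
    data = message.encode("latin-1")
    if b"\x00" in data:
        raise ValueError("character #0 is reserved as the end marker")
    if len(data) > capacity(bmp):
        raise ValueError("message does not fit in this bitmap")
    data += b"\x00"
    # Assumption: bits are written most significant first.
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    out = bytearray(bmp)
    for offset, bit in zip(red_offsets(bmp), bits):
        out[offset] = (out[offset] & 0xFE) | bit
    return bytes(out)


def extract(bmp):
    """Read red least significant bits until character #0 is reached."""
    chars, current, count = bytearray(), 0, 0
    for offset in red_offsets(bmp):
        current = (current << 1) | (bmp[offset] & 1)
        count += 1
        if count == 8:
            if current == 0:
                break
            chars.append(current)
            current, count = 0, 0
    return chars.decode("latin-1")


def max_byte_change(original, modified):
    """Largest difference between corresponding bytes of two files."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    cover = make_bmp(10, 13)                        # plain white, 130 pixels
    stego = embed(cover, "TechNet 2008")
    print(capacity(cover), repr(extract(stego)), max_byte_change(cover, stego))
```
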

Page 55:

What the bad guys use!

Steganography!

Page 56:

This Session Covered!

Terminal Services! What is it and why you need it!

Deploying Terminal Services

Understanding TS Licensing & TS Session Broker!

Deploying TS Remote Programs!

TS Web Access

Security Update: ADRMS & Other Stuff!

Conclusions!

Page 57:

Thank you for attending

Page 58:

Thank you for attending this TechNet Event

Find these slides at: http://www.microsoft.com/uk/technetslides